[openssh-commits] [openssh] 02/03: upstream: Remove references to ChallengeResponseAuthentication in

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Jul 2 15:53:56 AEST 2021


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit c73b02d92d72458a5312bd098f32ce88868fd131
Author: dtucker at openbsd.org <dtucker at openbsd.org>
Date:   Fri Jul 2 05:11:20 2021 +0000

    upstream: Remove references to ChallengeResponseAuthentication in
    
    favour of KbdInteractiveAuthentication.  The former is what was in SSHv1, the
    latter is what is in SSHv2 (RFC4256) and they were treated as somewhat but
    not entirely equivalent.  We retain the old name as deprecated alias so
    config files continue to work and a reference in the man page for people
    looking for it.
    
    Prompted by bz#3303 which pointed out the discrepancy between the two
    when used with Match.  Man page help & ok jmc@, with & ok djm@
    
    OpenBSD-Commit-ID: 2c1bff8e5c9852cfcdab1f3ea94dfef5a22f3b7e
---
 readconf.c    | 18 +++++-------------
 servconf.c    | 17 ++++-------------
 sshd_config   |  4 ++--
 sshd_config.5 | 20 ++++++++------------
 4 files changed, 19 insertions(+), 40 deletions(-)

diff --git a/readconf.c b/readconf.c
index 22e69cb3..3bec3a9f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.357 2021/06/08 22:06:12 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.358 2021/07/02 05:11:21 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -145,7 +145,7 @@ typedef enum {
 	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
 	oGatewayPorts, oExitOnForwardFailure,
 	oPasswordAuthentication,
-	oChallengeResponseAuthentication, oXAuthLocation,
+	oXAuthLocation,
 	oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
 	oPermitRemoteOpen,
 	oCertificateFile, oAddKeysToAgent, oIdentityAgent,
@@ -228,12 +228,12 @@ static struct {
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "challengeresponseauthentication", oKbdInteractiveAuthentication }, /* alias */
+	{ "skeyauthentication", oKbdInteractiveAuthentication }, /* alias */
+	{ "tisauthentication", oKbdInteractiveAuthentication },  /* alias */
 	{ "pubkeyauthentication", oPubkeyAuthentication },
 	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
 	{ "hostbasedauthentication", oHostbasedAuthentication },
-	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
-	{ "skeyauthentication", oUnsupported },
-	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* obsolete */
 	{ "identitiesonly", oIdentitiesOnly },
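Review bot: In the keyword table, `skeyauthentication` changes from `oUnsupported` to an alias for `oKbdInteractiveAuthentication`, a behaviour change the commit message does not mention. A client config that still carries a leftover `SKeyAuthentication no` presumably had that line rejected as unsupported before and will now switch keyboard-interactive authentication off. If the parser keeps the first value seen (the `parse_flag` code is outside this hunk), a leftover `yes` would also take precedence over a later `KbdInteractiveAuthentication no`. Either keep `{ "skeyauthentication", oUnsupported },` or state the new meaning next to the entry, e.g. `/* alias; was oUnsupported, now sets kbd_interactive_authentication */`. The table starts and ends outside the hunk.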
@@ -1099,10 +1099,6 @@ parse_time:
 		intptr = &options->hostbased_authentication;
 		goto parse_flag;
 
-	case oChallengeResponseAuthentication:
-		intptr = &options->challenge_response_authentication;
-		goto parse_flag;
-
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@@ -2286,7 +2282,6 @@ initialize_options(Options * options)
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
 	options->pubkey_authentication = -1;
-	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
 	options->password_authentication = -1;
@@ -2440,8 +2435,6 @@ fill_default_options(Options * options)
 		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->pubkey_authentication == -1)
 		options->pubkey_authentication = 1;
-	if (options->challenge_response_authentication == -1)
-		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
@@ -3207,7 +3200,6 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_fmtint(oBatchMode, o->batch_mode);
 	dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
 	dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
-	dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication);
 	dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
 	dump_cfg_fmtint(oCompression, o->compression);
 	dump_cfg_fmtint(oControlMaster, o->control_master);
diff --git a/servconf.c b/servconf.c
index 543e834a..c43bda8f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.380 2021/06/08 07:09:42 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.381 2021/07/02 05:11:21 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -140,7 +140,6 @@ initialize_server_options(ServerOptions *options)
 	options->gss_strict_acceptor = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
-	options->challenge_response_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->permit_user_env_allowlist = NULL;
@@ -364,9 +363,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-		options->kbd_interactive_authentication = 0;
-	if (options->challenge_response_authentication == -1)
-		options->challenge_response_authentication = 1;
+		options->kbd_interactive_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
 	if (options->permit_user_env == -1) {
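Review bot: The default for `kbd_interactive_authentication` flips from 0 to 1 here with nothing in the code to say why. A reader comparing releases will see keyboard-interactive go from "off" to "on" by default. The man page text removed later in this commit shows the effective default was already `yes`, inherited from `ChallengeResponseAuthentication`. A short comment would record that, e.g. `/* yes by default: same as the former ChallengeResponseAuthentication default */`. Code elsewhere that consulted the removed `challenge_response_authentication` field is not part of this diff and needs to be checked against the merged option; fill_default_server_options continues outside the hunk.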
@@ -599,8 +596,8 @@ static struct {
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-	{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },
+	{ "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
+	{ "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
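Review bot: With these two entries, `challengeresponseauthentication` and `skeyauthentication` write the same field as `kbdinteractiveauthentication`, so an existing sshd_config that sets two of them to different values is now decided by line order. `skeyauthentication` was `sDeprecated` before, so a stale `SKeyAuthentication yes` that used to be inert can, if the parser keeps the first value (the `parse_flag` code is not in this hunk), override a later `KbdInteractiveAuthentication no` and leave the method enabled. Both aliases also move from `SSHCFG_GLOBAL` to `SSHCFG_ALL`, so they are now accepted inside `Match` blocks. I would keep `{ "skeyauthentication", sDeprecated, SSHCFG_GLOBAL },` unless reviving it is intended, and expand the alias comment to `/* deprecated alias; shares kbd_interactive_authentication with KbdInteractiveAuthentication */`. Operators should compare `sshd -T` output before and after upgrading; the table starts and ends outside the hunk.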
@@ -1596,10 +1593,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 		intptr = &options->kbd_interactive_authentication;
 		goto parse_flag;
 
-	case sChallengeResponseAuthentication:
-		intptr = &options->challenge_response_authentication;
-		goto parse_flag;
-
 	case sPrintMotd:
 		intptr = &options->print_motd;
 		goto parse_flag;
@@ -2904,8 +2897,6 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
 	    o->kbd_interactive_authentication);
-	dump_cfg_fmtint(sChallengeResponseAuthentication,
-	    o->challenge_response_authentication);
 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
 #ifndef DISABLE_LASTLOG
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
diff --git a/sshd_config b/sshd_config
index 19b7c91a..4b3011ec 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -58,7 +58,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+#KbdInteractiveAuthentication yes
 
 # Kerberos options
 #KerberosAuthentication no
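Review bot: The context comment `# Change to no to disable s/key passwords` is left unchanged above the renamed keyword and now understates what the line controls. The man page hunk in this same commit says `KbdInteractiveAuthentication` covers all authentication styles from login.conf(5), so setting it to `no` disables more than s/key. I would update the comment with the rename, e.g. `# Change to no to disable keyboard-interactive authentication`, so an administrator editing the sample file is not misled about the scope of the switch.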
diff --git a/sshd_config.5 b/sshd_config.5
index 3b339aaf..07635932 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.331 2021/04/04 11:36:56 jmc Exp $
-.Dd $Mdocdate: April 4 2021 $
+.\" $OpenBSD: sshd_config.5,v 1.332 2021/07/02 05:11:21 dtucker Exp $
+.Dd $Mdocdate: July 2 2021 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -384,12 +384,6 @@ rsa-sha2-512,rsa-sha2-256
 .Pp
 Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
-.It Cm ChallengeResponseAuthentication
-Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or through authentication styles supported in
-.Xr login.conf 5 )
-The default is
-.Cm yes .
 .It Cm ChrootDirectory
 Specifies the pathname of a directory to
 .Xr chroot 2
@@ -874,15 +868,17 @@ for interactive sessions and
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.
+All authentication styles from
+.Xr login.conf 5
+are supported.
+The default is
+.Cm yes .
 The argument to this keyword must be
 .Cm yes
 or
 .Cm no .
-The default is to use whatever value
 .Cm ChallengeResponseAuthentication
-is set to
-(by default
-.Cm yes ) .
+is a deprecated alias for this.
 .It Cm KerberosAuthentication
 Specifies whether the password provided by the user for
 .Cm PasswordAuthentication
